The SonicWall Capture Labs Threat Research Team has observed a dropper Trojan that drops both ransomware and crypto miner software. In this case, it drops a variant of the Shade ransomware and a crypto coin miner that mines ZCash (ZEC).

Once executed, it displays CF4ED5F2CF4ED5F2.bmp on the desktop background:

It also displays the following Russian text file: FA375141.rtf

The Trojan encrypts files on the system and renames them to {encrypted filename}.crypted000007.

In addition to ransomware, a crypto miner is also dropped onto the system. Rather than mining Bitcoin, it mines ZCash (ZEC), which is worth $283 USD per ZEC at the time of writing. nheqminer32.exe can be seen running in the process list:

The address accumulating the rewards is t1L9iBXyRgaYrQ5JSTSdstopV6pHtZ2Xdep. Mining activity can be observed by visiting the zcash.flypool.org website.
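
The host-side indicators described above (the `.crypted000007` suffix, the `nheqminer32.exe` process, the reward address and the pool domain) can be checked against a file and process inventory. The following triage sketch is an added example, not SonicWall's code; the inventory format, sample paths, PIDs and command lines are constructed, and the idea that the wallet or pool shows up in a process command line is an assumption.

```python
import ntpath
from collections import Counter

# Indicators named in the write-up above.
ENCRYPTED_SUFFIX = ".crypted000007"
MINER_IMAGE = "nheqminer32.exe"
WALLET = "t1L9iBXyRgaYrQ5JSTSdstopV6pHtZ2Xdep"
POOL_DOMAIN = "zcash.flypool.org"

def count_encrypted(paths):
    """Count files carrying the ransomware's suffix, grouped by directory."""
    per_dir = Counter()
    for path in paths:
        if path.lower().endswith(ENCRYPTED_SUFFIX):
            per_dir[ntpath.dirname(path)] += 1
    return per_dir

def find_miner(processes):
    """Return (pid, reasons) per match; the command line catches renamed binaries.
    That the wallet or pool appears there is an assumption, not shown in the write-up."""
    hits = []
    for proc in processes:
        cmdline = proc.get("cmdline", "")
        reasons = []
        if ntpath.basename(proc["image"]).lower() == MINER_IMAGE:
            reasons.append("image-name")
        if WALLET in cmdline:
            reasons.append("wallet")
        if POOL_DOMAIN in cmdline.lower():
            reasons.append("pool")
        if reasons:
            hits.append((proc["pid"], reasons))
    return hits

# Constructed sample inventory; paths, PIDs and command lines are made up.
SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\EXAMPLE-NAME-1.crypted000007",
    r"C:\Users\alice\Documents\EXAMPLE-NAME-2.CRYPTED000007",
    r"C:\Users\alice\Pictures\cat.jpg",
]
SAMPLE_PROCS = [
    {"pid": 4120, "image": r"C:\ProgramData\nheqminer32.exe", "cmdline": "nheqminer32.exe"},
    {"pid": 5310, "image": r"C:\Temp\helper.exe", "cmdline": "helper.exe " + WALLET},
    {"pid": 880, "image": r"C:\Windows\System32\svchost.exe", "cmdline": "svchost.exe -k netsvcs"},
]

if __name__ == "__main__":
    print(dict(count_encrypted(SAMPLE_PATHS)), find_miner(SAMPLE_PROCS))
```

A sudden cluster of suffixed files in one user directory, combined with a miner hit on the same host, matches the dual payload this dropper delivers.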

SonicWALL Gateway AntiVirus provides protection against this threat via the following signature: